Redis 6.0 source reading (3): ACLInit in the redis-server main startup process

FightForFuture 2020-11-08 16:58:50
redis6.0 redis source reading redis-server


While reading the redis-server initialization, right after initServerConfig() you come across a call to ACLInit, with this comment:

  • The ACL subsystem must be initialized ASAP because the basic networking code and client creation depends on it. In other words, the ACL subsystem must be initialized early in the main startup process, because network communication and client connections and operations all depend on it.

So what exactly is this ACL subsystem, and what role does it play in network communication and client connections? The official documentation explains it: [https://redis.io/topics/acl]. We only pick out some important parts to analyze here; if you are interested, read the official document and work through it once to get familiar with it.

Redis ACL is short for Access Control List. It allows certain connections to be limited in terms of the commands they can execute and the keys they can access. The way it works is that, after connecting, the client must authenticate by providing a user name and a valid password: if authentication succeeds, the connection is associated with the given user and that user's limits. Redis can be configured so that new connections are already authenticated as the "default" user (this is the default configuration), so a side effect of configuring the default user is that connections that are not explicitly authenticated can be given only a specific subset of functionality.
In the default configuration, Redis 6 (the first version with ACLs) behaves exactly like older versions of Redis: every new connection can call every possible command and access every key, so the ACL feature is backward compatible with old clients and applications. Likewise, the old way of configuring a password with the requirepass configuration directive still works, but all it does now is set a password for the default user.

So why would we use the ACL system?

  • You want to improve security by restricting access to commands and keys, so that untrusted clients have no access and trusted clients have only the minimum level of access to the database needed to do their work. For example, some clients may only be able to execute read-only commands.
  • You want to improve operational safety, so that processes or people accessing Redis cannot damage the data or the configuration through software errors or manual mistakes. For example, a worker that fetches delayed jobs from Redis has no reason to call the FLUSHALL command.

Another typical use of ACLs relates to managed Redis instances. Redis is often provided as a managed service, both by in-house company teams that run Redis infrastructure for other internal customers and by cloud providers in a software-as-a-service setup. In both setups we want to make sure that configuration commands are excluded for the customers. In the past this was done through command renaming, a trick that let us get by without ACLs for a long time but that is not ideal.

ACL has many subcommands; they can be listed with the HELP subcommand:

127.0.0.1:6379> ACL HELP
1) ACL <subcommand> arg arg ... arg. Subcommands are:
2) LOAD -- Reload users from the ACL file. // Read user information from the ACL file
3) SAVE -- Save the current config to the ACL file. // Save the current user information to the ACL file
4) LIST -- Show user details in config file format. // View the permission information of all users
5) USERS -- List all the registered usernames. // View all registered user names
6) SETUSER <username> [attribs ...] -- Create or modify a user. // Modify the permissions of a user
7) GETUSER <username> -- Get the user details. // Get information about a user
8) DELUSER <username> [...] -- Delete a list of users. // Delete one or more users
9) CAT -- List available categories. // View the available command categories
10) CAT <category> -- List commands inside category. // View the commands within a category
11) GENPASS [<bits>] -- Generate a secure user password. // Generate a password
12) WHOAMI -- Return the current connection username. // View the currently logged-in user
13) LOG [<count> | RESET] -- Show the ACL log entries. // ACL log

Using the commands above, here is a simple example:

1. ACL SETUSER alice // Create the user alice
OK
2. ACL LIST // Check whether alice was created successfully and what permissions this user has
1) "user alice off -@all"
2) "user default on nopass ~* +@all"
3. ACL SETUSER alice on >p1pp0 ~cached:* +get // As shown above, the newly created user has no permissions; now grant GET on keys matching cached:*
OK
4. AUTH alice p1pp0 // Log in as the user alice
OK
5. GET foo // GET on an arbitrary key is not permitted
(error) NOPERM this user has no permissions to access one of the keys used as arguments
6. GET cached:1234 // GET on a cached:* key is permitted
(nil)
7. SET cached:1234 zap // SET on a cached:* key is not permitted
(error) NOPERM this user has no permissions to run the 'set' command or its subcommand

We can also use the GETUSER subcommand to see what permissions the alice user we just created has:

> ACL GETUSER alice
1) "flags"
2) 1) "on"
3) "passwords"
4) 1) "2d9c75..."
5) "commands"
6) "-@all +get"
7) "keys"
8) 1) "cached:*"

It is also very important to understand what happens when SETUSER is called multiple times. A SETUSER call does not reset the user; it only modifies the permissions of the user being operated on. The user is reset only if it was previously unknown: in that case a brand new account is created, and that user has no permission to do anything.

1. ACL SETUSER myuser +set // Grant the user permission for the set command
OK
2. ACL SETUSER myuser +get // Grant the user permission for the get command
OK
3. ACL LIST
1) "user default on nopass ~* +@all"
2) "user myuser off -@all +set +get" // Now you can see that this user has both get and set permissions
set cached:1234 zap // Running set again now succeeds
OK
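
The two sessions above can be reproduced with a small model, given here as an added example that is not Redis code. The names `USERS`, `setuser`, `auth`, `check` and `replay` are hypothetical, only the rule forms used in the text are modelled, and Python's `fnmatch` is assumed to be close enough to Redis glob matching for these patterns.

```python
# Added example (not Redis source): toy model of ACL SETUSER and permission checks.
import hashlib
from fnmatch import fnmatchcase  # assumption: close enough to Redis glob matching

USERS = {}  # hypothetical user table: name -> state

def _sha256(password):
    return hashlib.sha256(password.encode()).hexdigest()

def setuser(name, *rules):
    """Apply rules on top of the current state; only unknown users start empty."""
    user = USERS.setdefault(
        name, {"on": False, "passwords": set(), "keys": [], "commands": set()})
    for rule in rules:
        if rule in ("on", "off"):
            user["on"] = rule == "on"
        elif rule.startswith(">"):
            user["passwords"].add(_sha256(rule[1:]))  # only the hash is kept
        elif rule.startswith("~"):
            user["keys"].append(rule[1:])
        elif rule[0] == "+" and not rule.startswith("+@"):
            user["commands"].add(rule[1:].lower())
        elif rule[0] == "-" and not rule.startswith("-@"):
            user["commands"].discard(rule[1:].lower())
        else:
            raise ValueError("rule not modelled here: " + rule)
    return user

def auth(name, password):
    user = USERS.get(name)
    return bool(user and user["on"] and _sha256(password) in user["passwords"])

def check(name, command, key):
    """The command is checked first, then the key against the user's patterns."""
    user = USERS[name]
    if command.lower() not in user["commands"]:
        return "NOPERM command"
    if not any(fnmatchcase(key, pattern) for pattern in user["keys"]):
        return "NOPERM key"
    return "OK"

def replay():
    """Replay the alice and myuser steps from the text; return the outcomes."""
    USERS.clear()
    setuser("alice")
    setuser("alice", "on", ">p1pp0", "~cached:*", "+get")
    setuser("myuser", "+set")
    setuser("myuser", "+get")  # adds to the first call, does not reset it
    alice = [check("alice", c, k) for c, k in
             (("GET", "foo"), ("GET", "cached:1234"), ("SET", "cached:1234"))]
    return auth("alice", "p1pp0"), alice, sorted(USERS["myuser"]["commands"])
```
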

You might say: with so many commands and so many users, isn't it too much trouble to set them one by one? I also found it tedious while practicing, so ACL provides something like a one-shot setting:

ACL SETUSER antirez on +@all -@dangerous >42a979... ~*

With +@all and -@dangerous you include all the commands and then remove those tagged as dangerous. Note that command categories never include module commands, with the exception of +@all.
So how do we know which categories exist:

> ACL CAT
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
8) "string"
9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"

To see which commands a category contains, for example geo:

> ACL CAT geo
1) "geohash"
2) "georadius_ro"
3) "georadiusbymember"
4) "geopos"
5) "geoadd"
6) "georadiusbymember_ro"
7) "geodist"
8) "georadius"

Often the ability to exclude or include a command as a whole is not enough. Many Redis commands perform different operations depending on the subcommand passed as an argument. For example, the CLIENT command can be used for both dangerous and non-dangerous operations. Many deployments may not want to give non-administrative users the ability to run CLIENT KILL, but may still want them to be able to run CLIENT SETNAME.

ACL SETUSER myuser -client +client|setname +client|getname

The rule starts by removing the CLIENT command with -client, and then adds the two allowed subcommands. Note that the opposite is not possible: subcommands can only be added, not excluded, because new subcommands may be added in the future, so it is safer to list explicitly all the subcommands that are valid for a user. In addition, adding a subcommand of a command that has not been disabled produces an error.

With what we have covered so far, we can easily restrict a specific user to specific commands. Internally, Redis stores passwords hashed with SHA256: if you set a password and check the output of ACL LIST or ACL GETUSER, you will see a long hexadecimal string that looks pseudo-random. This is a feature available from Redis 6.0 onward. Anyone with a little programming knowledge should be familiar with generating SHA256 hashes, so I will not go into detail.

So how are adding users and setting user permissions implemented in the Redis code? That brings us back to our topic, ACLInit(), the initialization of the ACL subsystem. We find that a default user named default is created during redis-server initialization:

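void ACLInit(void) {
    Users = raxNew();            /* Radix tree mapping user names to users. */
    UsersToLoad = listCreate();  /* Users from the config, loaded later. */
    ACLLog = listCreate();       /* Entries shown by ACL LOG. */
    ACLInitDefaultUser();
    server.requirepass = NULL; /* Only used for backward compatibility. */
}

void ACLInitDefaultUser(void) {
    DefaultUser = ACLCreateUser("default",7); /* 7 is the length of "default". */
    ACLSetUser(DefaultUser,"+@all",-1);  /* Allow every command. */
    ACLSetUser(DefaultUser,"~*",-1);     /* Allow every key. */
    ACLSetUser(DefaultUser,"on",-1);     /* The user is enabled. */
    ACLSetUser(DefaultUser,"nopass",-1); /* No password is required. */
}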
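
The default user built above ends up as `on nopass ~* +@all`, which is exactly the line ACL LIST printed earlier. The following added example (not Redis code; the function names and sample lines are constructed) audits lines in that ACL LIST format and reports enabled users that accept any password, keep the @dangerous commands, or can reach every key.

```python
# Added example (not Redis source): flag risky users in `ACL LIST` output.
# Limitation: only @all and @dangerous are tracked, not other categories
# or single commands such as "+flushall".

def audit_acl_line(line):
    """Return (username, findings) for one line in `ACL LIST` format."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    name, rules = tokens[1], tokens[2:]
    enabled = nopass = all_keys = dangerous = False
    for rule in rules:  # rules take effect left to right, later ones win
        if rule in ("on", "off"):
            enabled = rule == "on"
        elif rule == "nopass":
            nopass = True
        elif rule == "resetpass" or rule[0] in ">#":
            nopass = False  # setting a password clears nopass
        elif rule in ("~*", "allkeys"):
            all_keys = True
        elif rule == "resetkeys":
            all_keys = False
        elif rule in ("+@all", "allcommands", "+@dangerous"):
            dangerous = True
        elif rule in ("-@all", "nocommands", "-@dangerous"):
            dangerous = False
    findings = []
    if enabled:  # a user that is off cannot authenticate at all
        if nopass:
            findings.append("accepts any password")
        if dangerous:
            findings.append("may run @dangerous commands")
        if all_keys:
            findings.append("may access every key")
    return name, findings

# Constructed sample input; "#<sha256-hex>" stands in for a stored password hash.
SAMPLE = [
    "user default on nopass ~* +@all",
    "user alice on #<sha256-hex> ~cached:* -@all +get",
    "user ops on #<sha256-hex> ~* +@all -@dangerous",
    "user myuser off -@all +set +get",
]

def audit(lines=SAMPLE):
    """Map each user that has at least one finding to its findings."""
    results = dict(audit_acl_line(line) for line in lines)
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in audit().items():
        print(name + ": " + "; ".join(found))
```
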

The users are stored in a radix tree (rax) built from raxNode structures. So what can we learn from the radix tree? Let's study and read it together.

This article introduced how the ACL subsystem is initialized during redis-server startup and how basic command permissions can be set for different users. It then showed how the default user is created in redis-server, and introduced the raxNode radix tree, which remains to be read and analyzed.

Copyright notice
This article was written by [FightForFuture]. Please include a link to the original when reposting. Thanks.
